From Anti-Patterns to Best Practices: A Practical Guide to DevSecOps Automation and Security

In the modern DevSecOps landscape, teams often struggle to achieve more with fewer resources, leading to the development of counterproductive habits. These habits can significantly hinder the ability to establish effective security programs. Our presentation aims to address these challenges by identifying common anti-patterns based on our experiences and observations in the field. We will highlight the problems associated with these habitual practices and offer concrete, practical solutions.

Throughout this session, we will guide you through the most prevalent anti-patterns identified in our security efforts and observed in other teams. Additionally, we will provide alternatives to these detrimental practices, along with a compilation of free and open-source tools endorsed by the community. These resources are instrumental in reinforcing strong security practices across different organizations. Join us as we delve into a narrative of anti-patterns, best practices, and the extensive potential of automation to enhance security measures.

Interview:

What's the focus of your work these days?

I'm the founder of a company in the Security Automation Space and its principal architect/security engineer.  We create solutions that radically improve the efficiency of any security engineering team.

What's the motivation for your talk at QCon London 2024?

To provide a list of the most common counter-productive behaviors observed by several security teams out there, how to recognize early signs of this and how it can be overcome with a mix of human intervention and automation.

How would you describe your main persona and target audience for this session?

Persona: developers or security folks
Level: medium+ 

Is there anything specific that you'd like people to walk away with after watching your session?

Security people are not the police, they are the team's physician.
 

Therefore, they are not there to add checks and balances; they're there to observe and advise on good habits that would lead to a long and healthy product life cycle. Talk to them the same as you'd talk to your physician.


Speaker

Spyros Gasteratos

Founder @Ocurity, Principal Security Engineer, Maintainer of opencre.org & github.com/ocurity/Dracon, 15+ Years Experience in Security

Spyros has over 15 years of experience in the security world. Since the beginning of his career he has been an avid supporter and contributor of open source software and an OWASP volunteer. Currently he is interested in the harmonization of security tools and information and is currently helping Fintechs setup and automate large parts of their AppSec programmes. He also maintains several Open Source projects including the security automation framework Dracon, and opencre.org, the worlds largest security knowledge graph. Also, he usually doesn’t speak about himself in the third person.

Read more
Find Spyros Gasteratos at:

From the same track

Session Ethical AI

Trends in InfoSec: Data Minimisation, Autoclassification, and Ethical AI

Wednesday Apr 10 / 11:45AM BST

Laws are changing around the world to require frequent disposal of high-risk information, to reduce the impact of (inevitable) breaches. As such, ‘records management’ is now cyber discipline, but one that has not previously been well enabled by technology.

Speaker image - Rachael Greaves

Rachael Greaves

CEO & Co-Founder @Castlepoint Systems, Australia's Most Outstanding Woman in IT Security, RegTech Female Entrepreneur of the Year, Women in Fintech Powerlist, Top 100 Innovator, CISM, CISA, CDPSE, & CIP

Session zero trust

A Zero Trust Future for Applications: Practical Implementation and Pitfalls

Wednesday Apr 10 / 10:35AM BST

If you are building applications which are critical for your organization's revenue than you would be looking at a zero trust future for most of the applications.

Speaker image - Ashish Rajan

Ashish Rajan

CISO @Kaizenteq Ltd, Host of "Cloud Security Podcast", and SANS Trainer for Cloud Security, 13+ Years Experience in the CyberSecurity Industry

Session

Poetry4Shellz – Avoiding Limerick Based Exploitation and Safely Using AI in Your Apps

Wednesday Apr 10 / 02:45PM BST

LLM based AI has introduced huge shifts in the technology landscape in a very short amount of time, a consequence of which has been the immense pressure on organizations of all types to adopt and/or develop any and all things AI.

Speaker image - Rich Smith

Rich Smith

Session

Beyond the Breach: Proactive Defense in the Age of Advanced Threats

Wednesday Apr 10 / 01:35PM BST

This talk will cover some of the most advanced attacks that are in the public domain, mostly attributed in public by commercial organizations.  This talk will give a whirlwind tour of some of the high end of threat activity to set out a context of changing cybersecurity landscape.

Speaker image - Michael  Brunton-Spall

Michael Brunton-Spall

Deputy Director Cyber Policy and Solutions @Cabinet Office